Oracle® Identity Manager Best Practices Guide
Release 9.0.3

Part Number B32451-01

7 Integrating with Oracle Application Server Single Sign-On

This chapter describes how to use Oracle Application Server (OracleAS) Single Sign-On, a component of OracleAS, to manage user authentication and authorization when a user logs in to Oracle Identity Manager.

See Also:

The Oracle Application Server Single Sign-On Administrator's Guide for more information about deploying OracleAS Single Sign-On.

This chapter assumes you are familiar with OracleAS Single Sign-On and Oracle Identity Management infrastructure, and that you have the required components, including your application server, web server, Oracle Identity Manager, OracleAS Single Sign-On, and Oracle Internet Directory, already installed.

Important:

Several different configurations, including application and web servers, are possible in an Oracle Identity Manager and OracleAS Single Sign-On environment.

To demonstrate one possible configuration, this chapter describes how to integrate with OracleAS Single Sign-On using the Oracle Containers for J2EE (OC4J) application server and the Oracle Application Server OC4J Plugin for Internet Information Server (IIS). The information in this chapter is based on IIS version 6.0.

Refer to your application and web server vendor's documentation for more information about configuring single sign-on.

This chapter covers the following topics:

  • Setting Up OC4J IIS Plugin to Communicate with OracleAS Single Sign-On

  • Setting Up Oracle Identity Manager for Single Sign-On with OracleAS Single Sign-On

  • Creating Single Sign-On User Accounts for Oracle Identity Manager Users

Setting Up OC4J IIS Plugin to Communicate with OracleAS Single Sign-On

You must install and configure the Oracle Application Server OC4J Plugin, which is an IIS plugin for OC4J, so that the OC4J application server can communicate with the OracleAS Single Sign-On server. The Oracle Application Server OC4J Plugin is a file named opii.dll.

Perform the following steps to install and configure the Oracle Application Server OC4J Plugin:

  1. Download the Oracle Application Server OC4J Plugin from the Oracle Technology Network (OTN) using the following steps:

    1. Go to the OTN Web site at the following URL:

      http://www.oracle.com/technology/index.html

    2. Click Downloads on the horizontal navigation menu at the top of the page.

    3. Scroll to the Middleware section of the page and click SOA Suite in the Developer Tools section.

    4. Click See All in the Oracle SOA Suite 10g Release 3 (10.1.3.1.0) section.

    5. Expand the Oracle SOA Suite 10g Companion CD entry and you will see the Oracle Application Server OC4J Plugin listed as a component.

    6. Download CD1 for the Oracle SOA Suite 10g Companion CD by clicking CD1 for the appropriate operating system.

  2. Open your Registry Editor and perform the following steps:

    Note:

    The following steps use regedit as an example.

    1. Expand HKEY_LOCAL_MACHINE, then SOFTWARE, then right-click Oracle, select New, then select Key, and name the new key opii.

    2. Right-click the opii entry, select New, then select String Value and name the String Value log_file.

    3. Right-click the log_file entry and select Modify. The Edit String dialog box appears.

    4. In the Value data field, enter the path to the location where you want to keep the opii log file and click OK.

    5. Right-click the opii entry, select New, then select String Value and name the String Value log_level. This log_level string value specifies the desired log level for opii, for which debug, inform, error, and emerg are valid values.

    6. Right-click the opii entry, select New, then select String Value and name the String Value server_defs.

    7. Right-click the server_defs String Value and select Modify. The Edit String dialog box appears.

    8. Enter a path to the location where the opii.conf file will reside. You will create the opii.conf file in step 9.

  3. Start the IIS Management Console, then expand the entry for the node hosting the IIS server that will communicate with the OracleAS Single Sign-On server, then expand the Web Sites entry, then right-click the Default Web Sites entry and select New, then select Virtual Directory. The Virtual Directory Creation Wizard appears. Click Next and perform the following steps:

    1. Enter opii in the Alias Name field and click Next.

    2. Enter the location where the opii.dll file is located in the Path field and click Next.

    3. Select the Read, Run scripts, and Execute options on the Virtual Directory Access Permissions screen and click Next. Click Finish to close the Virtual Directory Creation Wizard.

  4. Add the opii.dll Oracle Application Server OC4J Plugin as a filter to your IIS web sites using the following steps:

    1. In the IIS Management Console, right-click the Default Web Sites entry and select Properties. The Default Web Site Properties dialog box appears.

    2. Click the ISAPI Filters tab and click Add.

    3. Enter opii in the Filter Name field.

    4. Enter the path to the location of the opii.dll Oracle Application Server OC4J Plugin in the Executable field.

    5. Click OK on the Add/Edit Filter Properties dialog box. Click OK on the Default Web Site Properties dialog box.

  5. Give permission to the IIS group on the <OSSO_HOME>\bin folder using the following steps:

    1. Right-click the <OSSO_HOME>\bin folder and select Properties.

    2. Click the Security tab.

    3. Add the IIS_WPG group with Read and Execute permissions.

  6. Restart the IIS server using the following steps from the IIS Management Console:

    1. Right-click the node hosting the IIS server that will communicate with the OracleAS Single Sign-On server, select All Tasks, and then select Restart IIS. The Stop/Start/Restart dialog box appears.

    2. Select Restart <the name of IIS server> and click OK.

    3. After the IIS server restarts, verify the opii.dll Oracle Application Server OC4J Plugin is running by right-clicking Default Web Sites, selecting Properties, selecting the ISAPI Filters tab, and confirming there is a green arrow pointing up for the opii filter.

  7. On the IIS Management Console, click Web Services Extensions, select opii, and then click the Allow button.

  8. Identify the port for the ajp13 protocol using the following steps:

    1. On the machine hosting the OC4J application server, open the <OC4J_HOME>\j2ee\<OC4J_INSTANCE>\config\default-web-site.xml file in a text editor.

      Note:

      <OC4J_HOME> represents the location where OC4J is installed. <OC4J_INSTANCE> represents the name of the OC4J instance.

    2. Search for the string ajp13.

    3. Identify the port number for ajp13, for example 8889.

  9. Create a file named opii.conf in the opii directory that contains the following entries. The entries list the Oracle Identity Manager applications protected by OracleAS Single Sign-On, the name of the machine hosting Oracle Identity Manager (host_name in the example), and the ajp13 port number you identified in step 8 (ajp13_port in the example):

    Oc4jMount /xlWebApp ajp13://host_name:ajp13_port
    Oc4jMount /xlWebApp/* ajp13://host_name:ajp13_port
    Oc4jMount /xlScheduler ajp13://host_name:ajp13_port
    Oc4jMount /xlScheduler/* ajp13://host_name:ajp13_port
    Oc4jMount /Nexaweb ajp13://host_name:ajp13_port
    Oc4jMount /Nexaweb/* ajp13://host_name:ajp13_port
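The registry and opii.conf parts of this procedure (steps 2 and 9) can be scripted so that the three values opii.dll reads and the Oc4jMount entries are written consistently and then read back for verification. The following PowerShell script is an added example and is not part of the Oracle guide or the plugin's own tooling. It assumes the opii registry values are REG_SZ strings under HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\opii as the steps above describe, that opii.dll has already been extracted into the directory given by -OpiiDir (the directory that becomes the opii virtual directory), and that the ajp13 port has already been identified as in step 8; the parameter names and the opii.log file name are this example's own choices.

```powershell
<#
  Added example (not from the Oracle guide): performs steps 2 and 9 of the
  plugin procedure from PowerShell instead of regedit and a text editor.
  Assumptions: opii reads REG_SZ values log_file, log_level and server_defs
  under HKLM\SOFTWARE\Oracle\opii, and opii.conf lives next to opii.dll in
  the directory named by -OpiiDir. Run from an elevated prompt.
#>
param(
    [Parameter(Mandatory = $true)] [string] $OpiiDir,    # e.g. C:\opii (holds opii.dll)
    [Parameter(Mandatory = $true)] [string] $HostName,   # machine hosting Oracle Identity Manager
    [Parameter(Mandatory = $true)] [int]    $Ajp13Port,  # ajp13 port from default-web-site.xml, e.g. 8889
    [ValidateSet('debug', 'inform', 'error', 'emerg')]  # the four log levels opii accepts
    [string] $LogLevel = 'error'
)

$ErrorActionPreference = 'Stop'

$key      = 'HKLM:\SOFTWARE\Oracle\opii'
$confPath = Join-Path $OpiiDir 'opii.conf'
$logPath  = Join-Path $OpiiDir 'opii.log'   # log file name is this example's choice

# The plugin DLL must already be in the directory that becomes the opii virtual directory.
if (-not (Test-Path (Join-Path $OpiiDir 'opii.dll'))) {
    throw "opii.dll not found in $OpiiDir; download and extract the OC4J Plugin first"
}

# Step 2: the three string values opii.dll reads from the registry.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'log_file'    -PropertyType String -Value $logPath  -Force | Out-Null
New-ItemProperty -Path $key -Name 'log_level'   -PropertyType String -Value $LogLevel -Force | Out-Null
New-ItemProperty -Path $key -Name 'server_defs' -PropertyType String -Value $confPath -Force | Out-Null

# Step 9: one Oc4jMount pair (context and context/*) per protected application, as listed in the guide.
$apps  = '/xlWebApp', '/xlScheduler', '/Nexaweb'
$lines = foreach ($app in $apps) {
    "Oc4jMount $app ajp13://${HostName}:$Ajp13Port"
    "Oc4jMount $app/* ajp13://${HostName}:$Ajp13Port"
}
Set-Content -Path $confPath -Value $lines -Encoding Ascii

# Read everything back so a misspelled value name (server_def instead of server_defs)
# is caught now rather than when IIS restarts and the filter fails to load.
$props = Get-ItemProperty -Path $key
foreach ($name in 'log_file', 'log_level', 'server_defs') {
    if (-not $props.$name) { throw "registry value $name is missing under $key" }
    Write-Host ("{0,-12} = {1}" -f $name, $props.$name)
}
Write-Host "Wrote $($lines.Count) Oc4jMount entries to $confPath"
Get-Content -Path $confPath
```

Run it as, for example, `.\Set-OpiiConfig.ps1 -OpiiDir C:\opii -HostName oimhost -Ajp13Port 8889 -LogLevel error`. The virtual directory, ISAPI filter, folder permissions, IIS restart and Web Service Extensions steps (3 to 7) are still done in the IIS Management Console as described above; after the restart, the opii log file named in log_file is the first place to look if the filter does not show the green arrow.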
    

Setting Up Oracle Identity Manager for Single Sign-On with OracleAS Single Sign-On

Perform the following steps to set up Oracle Identity Manager for integration with OracleAS Single Sign-On:

  1. Stop the application server gracefully.

  2. Launch a plain-text editor and open the following file:

    <XL_HOME>\xellerate\config\xlconfig.xml

  3. Locate the following single sign-on configuration (these are the default settings without single sign-on):

    <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
    </web-client>

  4. Edit the single sign-on configuration as follows:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>osso-username</AuthHeader>
    </web-client>

    To enable single sign-on for logins that contain non-ASCII characters, you must also specify a decoder class that decodes the non-ASCII header value. Add the AuthHeaderDecoder element with the decoder class name, so that the single sign-on configuration reads as follows:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>osso-username</AuthHeader>
    <AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
    </web-client>

  5. Restart the application server.
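Because the AuthHeader element names the HTTP header whose value Oracle Identity Manager accepts as the authenticated user name, it is worth making this edit with an XML parser, keeping the pre-SSO copy of xlconfig.xml, and verifying the saved result rather than hand-editing the file. The following PowerShell script is an added example, not part of the Oracle guide or of Oracle Identity Manager. It assumes the file path <XL_HOME>\xellerate\config\xlconfig.xml from step 2, that the file contains a single web-client element with Authentication and AuthHeader children as shown in steps 3 and 4, and that the decoder class is the one listed above; the -XlHome and -NonAsciiLogins parameter names and the .pre-sso.bak backup name are this example's own.

```powershell
<#
  Added example (not from the Oracle guide): applies steps 2 to 4 of the
  procedure above to xlconfig.xml with an XML parser, keeping a backup of the
  pre-SSO file. Assumptions: one <web-client> element exists in the file, and
  the decoder class is com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder
  as the guide lists. Stop the application server (step 1) before running this,
  and restart it (step 5) afterwards.
#>
param(
    [Parameter(Mandatory = $true)] [string] $XlHome,   # <XL_HOME>, the directory above xellerate\config
    [switch] $NonAsciiLogins                           # also add the AuthHeaderDecoder element
)

$ErrorActionPreference = 'Stop'

# Return the text of a child element, or a marker if the element is absent.
function Get-ChildText([System.Xml.XmlElement] $Parent, [string] $Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) { return '<absent>' }
    return $child.InnerText
}

# Set the text of a child element, creating the element if it does not exist yet.
function Set-ChildText([System.Xml.XmlElement] $Parent, [string] $Name, [string] $Value) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) {
        $child = $Parent.OwnerDocument.CreateElement($Name)
        $Parent.AppendChild($child) | Out-Null
    }
    $child.InnerText = $Value
}

$configPath = Join-Path $XlHome 'xellerate\config\xlconfig.xml'
if (-not (Test-Path $configPath)) { throw "xlconfig.xml not found at $configPath" }
$configPath = (Resolve-Path $configPath).Path   # XmlDocument needs an absolute path

# Keep the Default/REMOTE_USER version so the change can be reverted.
$backupPath = "$configPath.pre-sso.bak"
if (-not (Test-Path $backupPath)) { Copy-Item -Path $configPath -Destination $backupPath }

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true                # keep the file's existing layout
$xml.Load($configPath)

$webClient = $xml.SelectSingleNode('//web-client')
if ($null -eq $webClient) { throw 'no <web-client> element found in xlconfig.xml' }

Write-Host ("before: Authentication={0} AuthHeader={1}" -f (Get-ChildText $webClient 'Authentication'), (Get-ChildText $webClient 'AuthHeader'))

# Step 4: switch from the default settings to OracleAS Single Sign-On.
Set-ChildText $webClient 'Authentication' 'SSO'
Set-ChildText $webClient 'AuthHeader'     'osso-username'
if ($NonAsciiLogins) {
    Set-ChildText $webClient 'AuthHeaderDecoder' 'com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder'
}
$xml.Save($configPath)

# Re-read the saved file and confirm the values the guide expects are in place.
$check = New-Object System.Xml.XmlDocument
$check.Load($configPath)
$saved = $check.SelectSingleNode('//web-client')
foreach ($name in 'Authentication', 'AuthHeader', 'AuthHeaderDecoder') {
    Write-Host ("{0,-18} = {1}" -f $name, (Get-ChildText $saved $name))
}
if ((Get-ChildText $saved 'Authentication') -ne 'SSO' -or (Get-ChildText $saved 'AuthHeader') -ne 'osso-username') {
    throw "xlconfig.xml was not updated as expected; restore it from $backupPath"
}
```

Run it as, for example, `.\Set-XlSsoConfig.ps1 -XlHome C:\oracle\xellerate -NonAsciiLogins` with the application server stopped, then restart the application server as in step 5. Reverting to the non-SSO configuration is a matter of copying the .pre-sso.bak file back over xlconfig.xml and restarting again.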

Creating Single Sign-On User Accounts for Oracle Identity Manager Users

You must create an entry in Oracle Internet Directory for each Oracle Identity Manager user that will use OracleAS Single Sign-On for authentication. Oracle Internet Directory is the repository for all OracleAS Single Sign-On user accounts and passwords. The OracleAS Single Sign-On server authenticates users against their entries in Oracle Internet Directory.

Perform the following steps to create an entry in Oracle Internet Directory for each Oracle Identity Manager user that will use OracleAS Single Sign-On for authentication:

  1. Log in to the Oracle Delegated Administration Services home page at the following URL:

    http://host:port/oiddas/

    host represents the name of the computer where Oracle Delegated Administration Services is located, and port is the port number of this server. Oracle Delegated Administration Services and OracleAS Single Sign-On generally have the same host name.

  2. Click the Directory tab.

  3. Click Create on the Users tab.

  4. Create the information about the Oracle Identity Manager user by entering information in the following fields:

    • First Name

    • Last Name

    • User ID

      Note:

      The user ID must be the same as the user's ID in Oracle Identity Manager.

    • e-mail

    • Password for OracleAS Single Sign-On (and confirm by entering it twice)

  5. Create the user by clicking the Submit button.